Sacramento admits to tracking welfare recipients’ license plates

As the American Civil Liberties Union (ACLU) found out in 2015 through the Freedom of Information Act, the US Drug Enforcement Administration (DEA) has for years been building a massive national license plate reader (LPR) database that it shares with federal and local authorities, with no clarity on whether courts are overseeing its use.

That blasé approach to mass surveillance of drivers is holding steady, as evidenced by recent revelations about California using an LPR database to track down welfare cheats.

It’s doing so in a manner that’s against the law. As the Electronic Frontier Foundation (EFF) noted when it revealed the surveillance two weeks ago, “California law is crystal clear” on this: any entity – including government agencies such as those that administer welfare programs – that access data collected by automated license plate readers (ALPRs) must implement a privacy and usage policy that ensures that use of this sensitive information “is consistent with respect for individuals’ privacy and civil liberties.”

ALPRs snap photos of all license plates from street poles and police cars as vehicles drive by. To legally get at those images, the Sacramento County Department of Human Assistance (DHA) should have had a policy that includes periodic audits. Also, each time that LPR data was looked up, a purpose should have been recorded.

But for the two years preceding the EFF’s California Public Records Act request, the DHA didn’t tick off those two basic legal requirements – or if they did, it didn’t show up in the logs seen by the EFF.

In fact, between June 2016 through July 2018, 22 employees working on welfare fraud searched ALPR data more than 1,000 times – all without privacy policies posted online or written anywhere, as required by law. Some employees only dipped a toe into the database, only running a single search, while others ran more than 100 searches. One employee ran 214 searches over the course of 20 months, the EFF found.

There were no audits for any of this data access. The EFF also couldn’t find that the reasons for the ALPR data searches were recorded, although the DHA claims that they were.

DHA Director Ann Edwards told the Sacramento Bee that the county’s welfare fraud investigators use the ALPR data to find suspects and collect evidence to prove cases of fraud. She said that the decision to use such data is determined on a case-by-case basis “depending on the investigative needs of the case.”

It was also done without a clue that the agency needed a policy before employees could legally access that data. The DHA claims that it had no idea that a policy, plus a log of reasons for access, plus monthly audits, are required.

The EFF said that the agency spent a week playing catch-up after the civil liberties group asked about the issue, whipping together a privacy policy and posting it to its website. The new policy includes a monthly audit process.

The data in question wasn’t obtained by the DHA. Rather, it paid for it. According to contracts and invoices obtained by the EFF, Sacramento County paid more than $10,000 – about $5,000 per year – for access to data held by a vendor called Vigilant Solutions. Those contracts were signed without going through the competitive bidding process, the EFF notes.

Vigilant is the leading vendor of LPR data. As of 2016, the Atlantic reported that Vigilant had amassed roughly 2.2 billion license-plate photos and was capturing and permanently storing about 80 million additional geotagged images per month.

Vigilant’s dataset has continued to burgeon. In February 2018, news emerged that the LPR vendor would be providing the Department of Homeland Security’s (DHS’s) Immigration and Customs Enforcement (ICE) arm with agency-wide access to its nationwide database, to enable ICE to track license plates across the country. That gives ICE access to billions of license plate records and new powers of real-time location tracking: a profound source of concern to civil libertarians.

Vigilant doesn’t necessarily collect all the data itself. Rather, it acquires data from partners such as car repo agencies and other private groups. Vigilant also partners with police departments, picking up yet more data from camera-equipped police cars.

At the time of ICE gaining access to the data, Jay Stanley, a senior policy analyst who studies LPRs with the ACLU, said that the biggest concern for civil libertarians is the scale of Vigilant’s network, which it’s put together almost completely outside of public accountability:

If ICE were to propose a system that would do what Vigilant does, there would be a huge privacy uproar, and I don’t think Congress would approve it. But because it’s a private contract, they can sidestep that process.

Besides signing those $10,000+ worth of contracts with Vigilant, Sacramento’s DHA also signed an agreement forbidding it from talking to the media about the ALPR program without Vigilant Solutions’ written permission. It also agreed not to use information about Vigilant Solutions in “any manner that is disparaging.”

Why is it even necessary to investigate welfare fraud to this extent?

DHA officials acknowledged in 2013 that “the percentage of fraud cases is statistically low.” In 2012, DHA found fraud in only 0.02% of all welfare cases, or 6.25% of all fraud referrals. It works out to 500 of some 8,000 fraud referrals (out of nearly 200,000 people receiving assistance in Sacramento).

Granted, of late, the DHA has noted higher welfare fraud rates, which includes things such as failing to report income or claiming care for a child who doesn’t actually live with the recipient. The DHA told the Sacramento Bee that since June 2016, when the county first started using ALPR data, its investigators discovered fraud in about 13,000 of the 35,412 fraud referrals they investigated: about 37% of the cases.

Edwards told the Sacramento Bee that the DHA’s investigators are using ALPR data about 2.5% of the time: not heavy usage at all, she said:

It doesn’t appear to be overused. I think we use it very judiciously and only when needed to investigate fraud.

She also said that DHA is already following other parts of California’s privacy law (a law that was passed at the beginning of 2016, near the time the agency started using the ALPR data), including employees justifying their use of the data.

Each time a criminal investigator accesses the information, they… must document the reason why the data is being requested from the system.

As far as the monthly audits go, Edwards told the Sacramento Bee that they would start last week and would happen every two months:

We will be doing a random sampling of times [ALPR data] has been used in the past, in order to confirm that it hasn’t been used inappropriately. If we find as a result of our review that it was used inappropriately, disciplinary action could be taken.

Or hey, how about this instead, suggested EFF investigator Dave Maass: stop using the data immediately and do an investigation of the DHA’s past use. That’s the only way to figure out what welfare fraud investigators were really searching for, he told the Sacramento Bee. For all we know DHA employees could have been doing anything from…

Investigating a major fraud case to spying on their ex-spouses. Were they looking up people in Texas, people on the other side of the country? We just don’t know.

Subscribe to PHI via Email

Enter your email address to subscribe to PHI and receive notifications of new posts by email.

Join 3,340 other subscribers

Email Address

PROFESSIONAL HACKERS INDIA

We are proud to offer premier information security updates, IT updates, Core Tools And Techniques across the globe. Our mission is to make the internet more secure, more trendy, more aware and more reliable.